Key facts
- Microsoft's Secure Boot, designed to protect against firmware infections, has been bypassable for 13 of its 14 years.
- Researchers discovered 11 unrevoked firmware images (shims) that Microsoft had signed, some dating back to 2013.
- These shims allow attackers with basic knowledge to circumvent Secure Boot on Windows and Linux devices.
- The bypass enables the installation of persistent malicious firmware.
- Microsoft revoked the vulnerable shims in its June patch release after the issue was reported.
Microsoft's Secure Boot, an industry standard designed to protect devices from firmware infections, has been vulnerable to bypass for 13 of its 14 years of existence. Researchers at security firm ESET discovered that old, unrevoked firmware images, known as shims, which were used to extend Secure Boot to Linux devices and utility software, remained signed by Microsoft despite known vulnerabilities. These shims, some dating back to 2013, can be exploited by novice hackers to completely circumvent the protection embedded in a device's UEFI firmware.
ESET researcher Martin Smolár explained that the danger lies not in a novel vulnerability, but in the fact that no new exploit is needed. Attackers only require a copy of an old, trusted, but unrevoked shim binary and a basic understanding of UEFI shims to bypass this critical security feature. This vulnerability affects both Windows and Linux users, as the shim can be installed on devices running either operating system, allowing attackers to install malicious firmware that loads early in the boot process and persists even after the OS is reinstalled or the hard drive is replaced.
Microsoft, which oversees the signing of these shims, failed to revoke the publicly available images after vulnerabilities were discovered. This lapse, potentially due to the complexity of Secure Boot's database management and revocation mechanisms like SBAT and Secure Boot SVN, allowed the issue to persist for over a decade. The company finally revoked the 11 identified shims in its June monthly patch release after ESET brought the issue to the attention of CERT and Microsoft. Even the expiration of Microsoft's signing certificate late last month was insufficient to revoke these specific vulnerable shims.
